The Password Problem: Why World Password Day Still Matters in the Age of Phishing-Resistant MFA
- Cyber Jack
- May 1
Updated: May 1
In an ideal world, we wouldn’t need a “World Password Day.” The concept feels almost quaint: a day to remind people to not use “password123” for everything. Yet, here we are—celebrating it again in 2025, in a landscape where credentials remain one of the weakest links in cybersecurity.
“One might hope that nowadays users possess a thorough understanding of the importance of secure passwords,” says Darren James, Senior Product Manager at Specops Software. But hope, as the saying goes, isn’t a strategy. Specops’ latest Breached Password Report shows that users are still relying on embarrassingly simple base terms—“admin,” “qwerty,” “welcome”—and worse, reusing them across work and personal devices. “Although an organization’s password policy may be strong and in line with compliance regulations, it cannot prevent passwords from being stolen by malware,” James warns. “We see many stolen passwords exceeding the length and complexity requirements in common cybersecurity regulations.”
It’s a sobering reality: a password can check every compliance box and still be a ticking time bomb. That’s why James urges organizations to proactively scan their Active Directory for compromised passwords and block their use. Otherwise, they risk unknowingly handing over the keys to attackers.
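The check James describes can be done without the directory controller ever sending a password (or its full hash) off-box. The following Python is an added illustration, not Specops' or Microsoft's code: it uses the k-anonymity range lookup popularised by the Pwned Passwords service (only the first five hex characters of a SHA-1 hash leave the machine), with a constructed, in-memory breach list standing in for the remote range response. The complexity rule and the three "breached" passwords are assumptions made for the example; the point it demonstrates is the one in the quote above, a password that passes a compliance-style policy and is still blocked because it is already in breach data.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (password -> times seen). In a real
# deployment this data comes from a breach feed; these entries are made up.
KNOWN_BREACHED = {"Welcome2024!": 18400, "Summer2023!!": 2200, "P@ssw0rd1234": 97000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index hashes the way a k-anonymity range service does:
    5-hex-char prefix -> {35-hex-char suffix: breach count}."""
    index = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(KNOWN_BREACHED)


def range_query(prefix: str) -> dict:
    """Simulates the remote call. A real client would GET
    https://api.pwnedpasswords.com/range/<prefix> and parse the 'SUFFIX:COUNT'
    lines it returns; only the 5-character prefix ever leaves the machine."""
    assert len(prefix) == 5
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str) -> int:
    """Hash locally, query by prefix, match the remaining 35 hex chars locally."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)


def meets_complexity(password: str, min_len: int = 12) -> bool:
    """An assumed compliance-style rule: minimum length plus three of four classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= min_len and hits >= 3


def evaluate(password: str) -> str:
    """Policy first, then the breach check the policy alone cannot provide."""
    if not meets_complexity(password):
        return "rejected: fails complexity policy"
    if breach_count(password):
        return "blocked: appears in breach data"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["Welcome2024!", "short", "correct-horse-battery-staple-2025"]:
        print(f"{candidate!r}: {evaluate(candidate)}")
```

`Welcome2024!` satisfies the length and all four character classes, exactly the kind of password James says shows up in stolen-credential dumps, and is still blocked. Running the same loop over the NT hashes exported from Active Directory (with an NTLM-keyed breach list) is how the proactive scan he recommends works in practice.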
Credential Stuffing: The Domino Effect of One Bad Password
The implications of password reuse aren’t confined to an individual’s inbox. “Reusing passwords across different websites and services can be a catastrophic mistake,” warns Erich Kron, security awareness advocate at KnowBe4. A breach at a hobby forum might seem trivial—until attackers weaponize stolen credentials through credential stuffing, rapidly testing them against banking portals, online retailers, and email services.
It’s the digital equivalent of a burglar trying every key on a keyring until one opens your front door.
Kron emphasizes that multifactor authentication (MFA) is critical for mitigating these risks. “While not foolproof, it makes it much tougher for cybercriminals to log into an account even if they steal your credentials,” he says. Many banking, credit card, and social media platforms now offer MFA, yet adoption remains inconsistent.
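From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source tries many different accounts roughly once each, whereas brute force hammers one account many times. The following Python is an added example, not something from the article or from KnowBe4; the log format, the thresholds and the IP addresses (RFC 5737 test ranges) are all constructed for the illustration. It also records which accounts the stuffing source actually logged into, since those are the reused passwords that need resetting.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from any real system).
SAMPLE_LOG = """\
2025-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-05-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2025-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2025-05-01T10:00:02Z ip=203.0.113.5 user=dave result=SUCCESS
2025-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2025-05-01T10:00:03Z ip=203.0.113.5 user=frank result=FAIL
2025-05-01T10:00:05Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:00:06Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:00:07Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:00:08Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2025-05-01T10:01:00Z ip=192.0.2.10 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse(log_text: str):
    """Yield {'ip', 'user', 'result'} for each parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def classify_sources(events, min_users: int = 5, max_attempts_per_user: float = 2.0) -> dict:
    """Per source IP: 'credential_stuffing' (many accounts, ~1 attempt each),
    'brute_force' (many attempts, one or two accounts) or 'benign'.
    Thresholds are assumptions for the example; tune them to your traffic."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])  # a success from a stuffing source = reused password

    verdicts = {}
    for ip, s in stats.items():
        distinct = len(s["users"])
        spread = s["attempts"] / distinct
        if distinct >= min_users and spread <= max_attempts_per_user:
            verdict = "credential_stuffing"
        elif s["fails"] >= min_users and distinct <= 2:
            verdict = "brute_force"
        else:
            verdict = "benign"
        verdicts[ip] = {"verdict": verdict, "compromised": sorted(s["hits"]) if verdict != "benign" else []}
    return verdicts


if __name__ == "__main__":
    for ip, v in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, v)
```

The one success from 203.0.113.5 is the line that matters: `dave` reused a password from somewhere else, and the attacker's keyring fit his lock. Forcing a reset there, and requiring MFA as Kron suggests, is what turns the detection into a contained incident.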
The Password Manager Dilemma
Despite constant warnings, most users still juggle passwords in their heads or save them in browsers—a convenience that can quickly turn into a liability. “Browsers make it easy to save passwords, and while convenient, their security controls aren’t as robust as a password manager,” cautions James McQuiggan, another security awareness advocate at KnowBe4. Browser-saved credentials are typically protected only by the logged-in user's operating-system session, so infostealer malware running as that user can decrypt and export the entire store in seconds, whereas a password manager's vault stays locked behind its own master secret.
A dedicated password manager, by contrast, encrypts credentials and offers other perks—secure password sharing, for example. “Don’t just send passwords via WhatsApp, email, Slack or similar insecure medium,” says Javvad Malik, lead security awareness advocate at KnowBe4. “Use the secure sharing features available in your password manager.”
But even password managers aren’t a silver bullet. “If you are worried about keeping all your eggs in one basket or what could happen if your password manager gets compromised, you could add an extra layer of security with a secret ‘salt’ for high-value accounts,” advises Anna Collard, SVP of content strategy & security awareness advocate at KnowBe4. This extra, memorized component—never stored digitally—ensures that even if your password vault is breached, attackers still don’t have the complete credentials for your bank or investment accounts.
Moving Beyond Passwords
Security experts are increasingly aligned on a key point: the future needs to be passwordless. “Whenever possible, use PHISHING-RESISTANT MFA instead of passwords to protect valuable data and systems,” urges Roger A. Grimes, KnowBe4’s data-driven defense evangelist. Hardware tokens like YubiKeys and other FIDO2/WebAuthn authenticators sign a challenge that is bound to the site's origin, so a login captured through a look-alike domain yields a response the real site rejects, and there is no memorized string for an attacker to steal or reuse.
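What "phishing-resistant" means mechanically is worth seeing. In a WebAuthn assertion, the browser (not the web page) writes the origin it is actually talking to into `clientDataJSON`, and the authenticator signs over that plus `authenticatorData`, which starts with the hash of the relying-party ID. The following Python is an added example, not code from the article or from any FIDO library: it builds those two structures with constructed values (`bank.example` as the assumed relying party) and performs the server-side origin, challenge and rpIdHash checks. Signature verification against the registered public key is the final step and is deliberately left out, since it needs a crypto library; the checks shown are the ones that defeat the look-alike domain.

```python
import base64
import hashlib
import json
import os
import struct

RP_ID = "bank.example"                       # assumed relying-party ID for the example
ALLOWED_ORIGINS = {"https://bank.example"}   # origins the server accepts


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """What the browser serialises: ceremony type, server challenge, page origin.
    A phishing page cannot change 'origin'; the browser fills it in."""
    return json.dumps({"type": ceremony, "challenge": b64url(challenge), "origin": origin}).encode()


def build_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x05) -> bytes:
    """rpIdHash(32) || flags(1) || signCount(4, big-endian). 0x05 = UP | UV."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """Subset of the WebAuthn assertion checks. Returns (ok, reason, signed_message);
    signed_message is what the authenticator's signature must cover."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay?)", None
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed", None
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match relying party", None
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set", None
    # Final step (omitted): verify the stored public key's signature over this message.
    signed = auth_data + hashlib.sha256(client_data).digest()
    return True, "ok", signed


def legitimate_flow():
    challenge = os.urandom(32)
    cd = build_client_data(challenge, "https://bank.example")
    ad = build_authenticator_data(RP_ID, sign_count=42)
    return verify_assertion(cd, ad, challenge)


def phished_flow():
    """Attacker proxies the real login page from a look-alike domain and relays
    the victim's response. The victim's browser still records the origin it
    actually loaded, so the relying party rejects the assertion. (In practice the
    browser would already refuse, because RP_ID is not a suffix of that domain.)"""
    challenge = os.urandom(32)
    cd = build_client_data(challenge, "https://bank-example.com")
    ad = build_authenticator_data(RP_ID, sign_count=43)
    return verify_assertion(cd, ad, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_flow()[:2])
    print("phished:   ", phished_flow()[:2])
```

Contrast this with a password or a TOTP code, which carry no information about where they were typed: relayed from a phishing page, they verify just fine. That difference, not key length or hardware, is what makes FIDO2 phishing-resistant.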
Grimes isn’t pulling punches on password strength either: “If you must make up a password from your head, it should be 20-characters or longer to repel all known types of password attacks.” And don’t get too comfortable with your credentials. “Change all your passwords at least once a year, to prevent a stolen password from being good forever, just waiting for a hacker to use,” he adds.
Another often overlooked vulnerability: stale or forgotten credentials. McQuiggan recommends a regular audit. “Review your password manager bi-annually or quarterly to remove old or unused entries, check for MFA availability on accounts with personal information and update any reused passwords.”
And passwords aren’t just about user logins anymore. “API keys and secrets are passwords too,” Malik warns. “Stop committing secrets to GitHub like AWS keys, database credentials and API tokens.” These overlooked credentials can open doors for attackers to access cloud infrastructure or databases.
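A pre-commit or CI check is the practical counterpart to Malik's warning. The following Python is an added example, not a tool the article mentions: it scans the added lines of a unified diff for well-known key shapes (the AWS access-key-ID prefix `AKIA` plus 16 characters, the GitHub `ghp_` token prefix plus 36 characters, a URL carrying a password) and, for assignments to secret-looking variable names, falls back to a Shannon-entropy threshold so a random-looking value is flagged while a placeholder is not. The diff is constructed; the AWS key in it is Amazon's own documented placeholder, and the other values are made up.

```python
import math
import re

# Constructed unified diff. "AKIAIOSFODNN7EXAMPLE" is AWS's documentation
# placeholder; every other value here is invented for the example.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,8 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DATABASE_URL = "postgres://app:Tr0ub4dor&3@db.internal:5432/app"
+GITHUB_TOKEN = "ghp_Abc123Def456Ghi789Jkl012Mno345Pqr678"
+SIGNING_SECRET = "q7Vb2xLp9KmZt4WnR8yD3sFg"
+PASSWORD_HINT = "aaaaaaaaaaaaaaaaaaaa"
+APP_NAME = "payments"
 DEBUG = False
"""

# Shape-based detectors for credential formats with a fixed prefix/structure.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_with_password": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s]+)@"),
}
# Generic: a secret-looking name assigned a quoted literal of 16+ characters.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*["']([^"']{16,})["']"""
)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above English or filler."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def match_secret(line: str, entropy_threshold: float):
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.group(0)
    m = ASSIGNMENT_RE.search(line)
    if m and shannon_entropy(m.group(2)) >= entropy_threshold:
        return "high_entropy_assignment", m.group(2)
    return None, None


def redact(value: str) -> str:
    return value[:4] + "..." + value[-3:]


def scan_diff(diff_text: str, entropy_threshold: float = 3.5) -> list:
    """Walk a unified diff, tracking the new-file line number, and report
    findings on added ('+') lines only. Threshold is an assumption; 3.5 bits
    separates the invented tokens above from the 'aaaa...' placeholder."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff ")):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed lines do not exist in the new file
        if raw.startswith("+"):
            kind, value = match_secret(raw[1:], entropy_threshold)
            if kind:
                findings.append({"file": path, "line": new_line, "kind": kind, "value": redact(value)})
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

Wired into a pre-commit hook (fail the commit if `scan_diff` returns anything), this catches the AWS key, the database password embedded in the connection string, the GitHub token and the random signing secret, while letting the low-entropy placeholder through. Once a key has been pushed it should be treated as leaked and rotated regardless of how quickly the commit is rewritten.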
A Long Road Ahead
Ultimately, World Password Day isn’t just a calendar marker—it’s a reminder of how far we’ve come, and how far we still need to go. “Global awareness campaigns are needed to educate on best password practices and for organizations to rethink how to secure their digital environments,” James emphasizes.
As authentication shifts toward phishing-resistant MFA and passwordless architectures, users still play a pivotal role. Until the day we can finally retire the password, we’re stuck in a balancing act between convenience, complexity, and security.
And maybe—just maybe—next year’s World Password Day will be a little less necessary.